Inside Out defense Blog » danger Detection » What is C2? Command and also Control facilities Explained




Robert Grimmick

A effective cyberattack is about an ext than just acquiring your foot right into the door of one unsuspecting organization. To it is in of any type of real benefit, the attacker requirements to preserve persistence within the target environment, communicate with infected or compromised devices inside the network, and potentially exfiltrate perceptible data. The crucial to accomplishing all these jobs is a robust Command and Control facilities or “C2”. What is C2? In this post, fine answer that question and look at exactly how adversaries use these covert channels of communication channels to bring out highly advanced attacks. We’ll also look at just how to spot and also defend against C2-based attacks.

You are watching: Command and control hacked

What is C2?

Command and Control Infrastructure, also known as C2 or C&C, is the set of tools and also techniques that attackers use to maintain communication with compromised devices following initial exploitation. The certain mechanisms differ greatly between attacks, yet C2 generally consists of one or more covert interaction channels in between devices in a victim organization and also a platform the the attacker controls. This communication channels are offered to concern instructions to the endangered devices, download extr malicious payloads, and also pipe steal data earlier to the adversary.

C2 come in countless different forms. At the time of writing, the MITRE ATT&CK structure lists 16 various command and control techniques, each with a number of sub-techniques that have been it was observed in past cyberattacks. A common strategy is to mix in with other types of legitimate website traffic that may be in usage at the target organization, such together HTTP/HTTPS or DNS. Attackers might take other actions come disguise their C&C callbacks, together as utilizing encryption or unusual types of data encoding.

Command and also control platforms may be fully customized remedies or off-the-shelf products. Popular platforms provided by criminals and penetration testers alike incorporate Cobalt Strike, Covenant, Powershell Empire, and Armitage. 

There are a number of terms girlfriend may additionally hear alongside C2 or C&C:

What is a Zombie?

A Zombie is a computer or other form of connected machine that’s been infected with some form of malware and can it is in remotely managed by a malicious party without the genuine owner’s knowledge or consent. While part viruses, trojans, and also other undesirable programs perform details actions ~ infecting a device, many varieties of malware exist generally to open up a pathway to the attacker’s C2 infrastructure. This “zombie” machines deserve to then it is in hijacked to execute any number of tasks, from forward spam e-mail come taking component in large-scale dispersed Denial the Service attacks (DDoS). 

What is a Botnet?

A botnet is a arsenal of zombie machines that space enlisted for a common illicit purpose. This could be anything indigenous mining cryptocurrency come knocking a website offline through a distributed Denial of service (DDoS) attack. Botnets are usually united approximately a usual C2 infrastructure. It’s additionally common because that hackers come sell access to botnets to other criminals in a type of “attack as a service”. 

What is Beaconing?

Beaconing describes the procedure of an infected device phoning house to an attacker’s C2 framework to inspect for instructions or extr payloads, frequently at consistent intervals. To stop detection, some species of malware beacon at random intervals, or may lie dormant for a period of time before phoning home.

What can Hackers attain with a Command and also Control Infrastructure?

Most organizations have reasonably effective perimeter defenses the make it difficult for an evil one to initiate a connection from the outside world into the organization network without being detected. However, outbound interaction is frequently not as greatly monitored or restricted. This method that malware introduced through a various channel – to speak a phishing email or endangered website – can often develop a channel of communication in the outbound direction that would certainly otherwise it is in impossible. Through this channel open, a hacker can bring out added actions, such as:

Move Laterally v a Victim’s Organization

Once one attacker has actually an early stage foothold, they will usually look for to relocate laterally transparent the organization, using their C2 channels to beam ago information about other master that might be fragile or misconfigured. The very first machine compromised may not be a valuable target, however it serves as a launching pad come access more sensitive parts of the network. This process may be repetitive several times till the attacker gains accessibility to a high-value target prefer a file server or domain controller.

Multi-stage Attacks

The most complex cyberattacks are regularly composed of numerous distinct steps. Often, the early infection is composed of a “dropper” or downloader the calls earlier to the adversary’s C2 infrastructure and also downloads extr malicious payloads. This modular architecture enables an attacker to bring out projects that space both commonly distributed and highly focused. The dropper may infect countless organizations, permitting the attacker to it is in selective and also craft tradition second-stage malware for the most profitable targets. This design also permits an entire decentralized market of cybercrime. One initial accessibility group might sell access to a element target choose a bank or hospital come a ransomware gang, for example.

Exfiltrate Data

C2 networks are frequently bidirectional, definition an attacker can download or “exfiltrate” data native the target atmosphere in addition to sending instructions to compromised hosts. The stolen data have the right to be anything from classified military documents to credit card numbers or an individual information, relying on the victim’s organization. Increasingly, ransomware gangs room using data exfiltration as an included tactic to extort their targets; even if the organization deserve to recover data native backups, the criminals will threaten to release stolen and potentially awkward information.

Other Uses

As stated earlier, botnets are frequently used come launch DDoS attacks versus websites and also other services. Instructions for which web page to assault are ceded over C2. Other species of indict can likewise be issued come zombie devices over C2. For example, big crypto mining botnets have been identified. Even an ext exotic uses have been theorized, varying from making use of C2 regulates to disrupt poll or manipulate power markets.

Command and also Control Models

Though yes sir a wide range of choices for implementing C2, the architecture between malware and the C2 communication will usually look miscellaneous like among the following models:


A centralized command and also control model attributes much choose the timeless client-server relationship. A malware “client” will certainly phone house to a C2 server and also check for instructions. In practice, an attacker’s server-side framework is often far more complex than a single server and also may include redirectors, fill balancers, and defense steps to detect protection researchers and law enforcement. Windy cloud services and also Content shipment Networks (CDNs) are frequently used to hold or mask C2 activity. It’s likewise common because that hackers to deteriorate legitimate websites and use lock to hold command and control servers there is no the owner’s knowledge.

C2 task is frequently discovered reasonably quickly, and the domains and servers associated with a campaign may be eliminated within hrs of their first use. Come combat this, modern-day malware is regularly coded v a list of countless different C2 servers to shot and reach. The most advanced attacks introduce additional layers that obfuscation. Malware has been it was observed fetching a list of C2 servers native GPS coordinates embedded in photos and from comment on Instagram.

Peer-to-Peer (P2P)

In a P2P C&C model, command and control accuse are delivered in a decentralized fashion, through members that a botnet forward messages between one another. Several of the bots might still function as servers, but there is no central or “master” node. This provides it much more challenging to disrupt than a centralized model yet can additionally make the more challenging for the attacker to problem instructions to the whole botnet. P2P networks are sometimes used as a fallback device in situation the primary C2 channel is disrupted.

Out the Band and also Random

A number of unusual techniques have been observed because that issuing instructions come infected hosts. Hackers have made considerable use of society media platforms together unconventional C2 platforms since they are seldom blocked. A project referred to as Twittor aims to administer a totally functional command and also control platform using only straight messages ~ above Twitter. Hackers have likewise been observed utilizing Gmail, IRC chat rooms, and even Pinterest to issue C&C messages to endangered hosts. It’s additionally been theorized that command and control infrastructure might be totally random, through an attacker scanning huge swaths the the internet in hopes of recognize an infected host.

Detecting and also Preventing Command and also Control Traffic


C2 traffic can be notoriously an overwhelming to detect, together attackers walk to great lengths to stop being noticed. There’s a tremendous possibility for defenders, however, together disrupting C2 have the right to prevent a malware infection from transforming into a more serious event like a data breach. In fact, numerous large-scale cyber attacks were initially uncovered when researchers noticed C2 activity. Here are a few general methods for detecting and also stopping command and also control traffic in your own network:

Monitor and also Filter Outbound Traffic

Many institutions pay little attention to web traffic exiting your network, focusing instead top top threats included in incoming traffic. This absence of awareness facilitates an attacker’s command and control activities. Closely crafted egress firewall rule can aid impede one adversary’s capacity to open up up covert channels of communication. For example, limiting outbound DNS request to just servers the the organization controls have the right to reduce the hazard of DNS tunneling. Proxies deserve to be offered to check outbound net traffic, however users must take care to configure SSL/TLS inspection, as hackers have embraced encryption along with the rest of the web. DNS filtering solutions can likewise be used to help prevent C2 callbacks to suspicious or newly registered domains.

Watch because that Beacons

Beacons have the right to be a tell-tale sign of command and also control task within her network, yet they’re often difficult to spot. Most IDS/IPS remedies will pick up top top beacons connected with off-the-shelf frameworks choose Metasploit and also Cobalt Strike, but these can easily be customized through attackers to do detection far more difficult. For deeper network traffic analysis (NTA), a tool like RITA can be used. In some cases, threat searching teams will certainly go therefore far as to manually check packet dumps utilizing a tool favor Wireshark or tcpdump.

Log and also Inspect

Collecting log files from as numerous sources as feasible is an essential when searching for signs of command and control traffic. Often, close analysis is necessary to distinguish in between C2 traffic and legitimate applications. Security experts may have to look for unexplained patterns, study the payloads of seemingly benign HTTPS or DNS requests, and perform other species of statistics analysis. The higher volume of details the analyst or threat hunter has to work with, the better. Far logging and SIEM options can help in this task.

Correlate Data native Multiple Sources

The whole point of preserving a command and also control framework is to carry out some particular action like accessing important records or infecting much more hosts. Searching for C&C task from both a data and network perspective rises the likelihood of learning well-camouflaged cyberattacks. This is exactly the strategy that leaf takes, giving you the deep visibility compelled to spot everything from insider threats to APT groups.

See more: Percentage Calculator: What Is 60% Of 70 ? Calculate 60% Of 70


Command and also Control infrastructure is important to attackers – and also represents an possibility for defenders. Prevent C&C web traffic or dismantling one adversary’s C2 infrastructure have the right to halt a cyberattack in that tracks. Tackling C2 must never be an organization’s single focus and should be component of a larger details security routine that includes an excellent “cyber hygiene” practices, security awareness training for employees, and well-thought-out policies and also procedures. This steps have the right to go a long method towards mitigating the risk posed by command and also control infrastructure.